Overview

overview

8

Static

static

3

test.exe

windows7-x64

8

test.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    36s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    75KB

  • MD5

    07202b2ac038a5853ee4fb88dcb9a899

  • SHA1

    1cbe3734d3594cd2430e699e63972da458562dd3

  • SHA256

    90cee64c0da47de7b66c5f50120051e3797f14c5609aea1c5e1aaf10e10537a8

  • SHA512

    75c79157f14bb226ea3fedc011e79bfd57aed6a94f1a97c518755289da6bbcb9eeeeb327d45e70ed1e7d69e24a863f76ad0fc78dda593817b513c678de10c0c5

  • SSDEEP

    1536:GOXQrSji6XN9+GVqQ7zgN9ebqvjoJExemwHX9TM:GOXQA+QqQfgNY0emcQ

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\760.tmp\test.bat" "C:\Users\Admin\AppData\Local\Temp\test.exe""
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\system32\taskkill.exe
        taskkill /im explorer.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\system32\reg.exe
        Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2608
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Win32 /t REG_SZ /d C:\Windows\Win32.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2672
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2676
      • C:\Windows\system32\reg.exe
        reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2868
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
        3⤵
        • Modifies registry key
        PID:2616
      • C:\Windows\explorer.exe
        explorer.exe
        3⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\760.tmp\test.bat
    Filesize

    1KB

    MD5

    3423bfcd5d796f351d6877277656dce0

    SHA1

    fd97b809225bd6410667ef6186b9b65632566a99

    SHA256

    83a6299c3d4dcb0a864de86be96059106125204e949098d4c718f5312496b47c

    SHA512

    8af1c2c263d6385beda9e213988447dd1b79223ee286fec849d067fa0d4950af8cfafdf47812c59723558f1f28b693e077edc61308c9859d33f9e2838c4ddde6

    Download Submit